[TriLUG] host-based dynamic app/port firewall?
Kevin Hunter
hunteke at earlham.edu
Mon Oct 29 20:22:28 EDT 2012
At 12:57am -0400 Wed, 24 Oct 2012, Kevin Hunter wrote:
> I've found myself pondering the fact that I have intermittent network
> services on my machine. That is to say, sometimes I start Apache,
> disable SSH, or temporarily fire-up a DHCP server.
>
> IPTables is fan-friggin-tastic, but if I at all want to nerd out and
> enable/disable the ports when the service is (not) running I must do
> it manually. [Is there some tool to automate this dynamically, based
> on in-use programs and port bindings?]
Thanks Aaron, Matt, Cristóbal, Kevin, and Bill. (Sorry for the delay:
ebbs and flows in personal life.)
To summarize:
- Given that there is either a publicly accessible service or no
service at all, there's no real reason to alter the firewall
dynamically. A port with nothing listening on it is effectively
as good as a closed port.
- Consequently, no one knows of a tool for this purpose, other
than self-made scripts. Perfectly reasonable.
- However, if a tool were to be made, it might be of use to
various corporate entities who routinely update policies on this
front.
- There's also the fact that one size does not fit all. For example,
should SSH be available only to a subset of the intranet, or to the
whole internet?
- There is the possibility of allowing only a single application to
bind to a port (e.g., httpd to port 80), using AppArmor or SELinux,
to (for example) guard against rogue code using a privileged port.
Thus, the answer to my question is "No; no tool currently exists, for
the stated reasons above."
Thanks all,
Kevin
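As an added example (not code from the thread or from any tool it mentions), here is the shape of the "self-made script" the replies refer to: it reads `ss -ltn` output, keeps the TCP ports bound to a non-loopback address, and emits an `iptables-restore` fragment that rebuilds one dedicated chain. The chain name DYNAMIC-IN and the sample socket table are assumptions constructed for the example.

```shell
#!/bin/sh
# Constructed sample of `ss -ltn` output (header plus one line per listening TCP socket).
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      511    *:80               *:*
LISTEN 0      128    127.0.0.1:631      0.0.0.0:*
LISTEN 0      128    [::]:22            [::]:*'

# listening_ports: read `ss -ltn` output on stdin and print each TCP port bound to a
# non-loopback address once, in numeric order. Loopback-only listeners (e.g. CUPS on
# 127.0.0.1:631) are excluded on purpose: they are not reachable from the network anyway.
listening_ports() {
    awk '$1 == "LISTEN" {
        n = split($4, part, ":"); port = part[n]      # port follows the last colon, also for [::]:22
        addr = substr($4, 1, length($4) - length(port) - 1)
        if (addr !~ /^127\./ && addr != "[::1]") print port
    }' | sort -n | uniq
}

# iptables_rules: read ports on stdin and emit an iptables-restore fragment that rebuilds the
# user chain DYNAMIC-IN (assumed name). With `iptables-restore --noflush`, the ":CHAIN" line
# flushes only that chain, so the accepted-port set is replaced atomically and every other
# rule is left alone. One-time setup, outside this script:
#   iptables -N DYNAMIC-IN && iptables -I INPUT -p tcp -m conntrack --ctstate NEW -j DYNAMIC-IN
iptables_rules() {
    printf '*filter\n:DYNAMIC-IN - [0:0]\n'
    while read -r port; do
        printf '%s\n' "-A DYNAMIC-IN -p tcp --dport $port -j ACCEPT"
    done
    printf 'COMMIT\n'
}

# Touch the live ruleset only when asked explicitly (run as root, e.g. from cron).
if [ "${1:-}" = "--apply" ]; then
    ss -ltn | listening_ports | iptables_rules | iptables-restore --noflush
fi
```

Without `--apply` the script only prints the generated fragment, which is the safe way to review what it would load.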